Pages

Sunday, September 2, 2012

This is the fifth post in the series of Teensy USB HID for
Penetration Testers. Sorry for the gap between this and the last post (almost
three months).I was not sitting idle
though, I released Nishang in between and there is a new and shiny version of Kautilya
is out :)

Let us have a look at some advanced payloads in
Kautilya.

Hashdump

This payload could be used to dump password hashes from
Windows 7 machine. To use this payload, you have to upload powerdump
meterpreter script from msf to a website (I used pastebin). The script would then be
downloaded on the victim machine later on.

On a Windows 7 machine, you must have SYSTEM privilege to
dump hashes using powerdump script. This SYSTEM privilege could be gained
by scheduling a task as an administrator to be run as system.
The second option asked during payload generation is the name of this task.

Also, this payload pastes the hashes to pastebin as a
private paste. To paste privately, you need a free account on pastebin. You
need to provide username, password and api developer key (under the api link
after you log in to pastebin) for your pastebin account.

Compile the generated output to Teensy,
connect to the victim and after few seconds you should see this in the private pastes of the pastebin account used with payload

Neat!! Now we can crack or “pass” these in further attacks. (The hashes are from one of my test system).

Keylogger

This payload runs a keylogger written in powershell and
pastes keys to pastebin as a private paste after a given interval. Here is how to use this:

Compile the output to Teensy, connect to the victim and you should see this in your pastebin account after few seconds (keep in mind the time interval you have given)

Download this and use parsekeys.ps1
script to get some meaningful data. The script requires data from this pastebin
to be copied in a text file called data.txt in the same folder as the script
and creates a file called Logged_keys.txt with the parsed keys. This is how
parsed keys should look.

The keylogger is able to log keys typed in web forms and
windows prompts. This payload works with a normal user privs (no admin required). While using this payload, please keep in mind that pastebin
limits the number of posts per day and I think the limit is stricter for
private pastes. You either need a pro account or ask me nicely for implementing
some other paste service ;) In fact, I tested this on tinypaste and it worked
cleanly. The reason I stuck with pastebin is that I have seen pastebin allowed
in many restricted environments as compared to tinypaste.

Wireless Rogue AP

Windows 7 has a nice feature called Hosted Network. This is
meant for sharing your wireless network with other devices. This feature could
be used as a backdoor. This payload adds and starts a wireless hosted network
on the victim. Then a meterpreter bind is executed in the memory using
powershell. This technique is being used from this awesome post by Matt (used in many more payloads in Kautilya). Administrative access is required for this payload.

You need to generate bind meterpreter payload using the
command in payloadgen.txt in extras
directory. The generated payload is to be copied to rogue_ap.txt in src directory. After that, create a payload using Kautilya

You should be able to see a wireless network called “wifibdoor” after the output is compiled to Teensy and attached to the victim. After successfully connecting to the network you would like to
connect to the bind payload but what would be the IP address to connect to?
Open up command prompt and look at the gateway for this wireless connection. As
this is hosted on the victim the default gateway would be the IP of victim.

Connect to the port you used for msf bind payload on the default gateway using msf
listener and bingo you have a meterpreter session. But wait, this is a bind shell what about Windows Firewall? If you look at the
source,an exception is added to Windows Firewall exception list with program name as "PowerShell Update".

Connect to Hotspot and Execute Code

I got idea of this payload during an internal pen test. In
case of that client, there was no internet access from the employees’ laptops
barring few (almost 20) websites. In such a scenario, I use this technique
which I call Injecting the Internet…hee hee.

This payload forces the target to connect to a hot spot controlled by
you thus effectively bypassing any restrictions on the internet connectivity. This forceful connection is achieved by "typing" a wlan profile on the victim, the profile is then used to make a connection. Administrative access is required for thisaction.

An ideal use case is using a hot spot hosted on a Smartphone within the
wireless range of the target machine ;) In the third option (URL where the payload is hosted), you can use either a URL hosted on a web server running on your phone (I use kWS) or a URL from the internet. The Kautilya payload expects an executble in text format at this URL.

After connecting the Teensy to a victim, we get this :)

WLAN Keys Dump

This payload dumps information for all wlan profiles on the target system, including the in
clear text and uploads them to pastebin as a private paste. A user with admin privs must be logged in for this payload to work.

Code Execution using DNS TXT queries

This payload pulls first stage of a meterpreter from a DNS
TXT record and executes it in memory using powershell. The payload makes two queries to differnt subdomains for a 32bit and 64 bit shellcode, the architecture is detected during the payload execution and the appropriate shellcode is executed. The meterpreter needs to be generated using the command in payloadgen.txt in extras directory in Kautilya.

The result is same as some of the payloads above. A nice meterpreter shell !

Obviously, you should have control of TXT
records of a domain to use this. I used a domain with zoneedit.com. It is easy
and effective to use.You can fit first stage of a meterpreter inside a single TXT record.

Wait for Command

This payload continuously queries a pastebin url for
specific content. As soon as the content matches, another URL is opened looking
for powershell script. The powershell script is downloaded and executed on the
target.

In the above example, the content of first URL is queried continuously (with an interval of 5 seconds). Whenever you want to execute powershell script on the target, change its content to that of the magicstring (which is "balwant_rai_ke_kutte" in this case ;) ) and the payload will download and execute powershell script from the second URL .

This post covered many interesting payloads for Windows in
Kautilya. In the next post in this series we will have a look at payloads for Linux (Ubuntu) and OS X. Please leave comments
and feedback. I would be glad to implement (almost) any feature request.

Not now. It would be persistent in the next update or one after that. You can achieve some persistent by using it is a start-up/logon script or scheduling it as task. Perhaps I should do a blog post on this :)

I'm following your teensy posts now for a while and have ordered some devices for security awareness trainings here in my company. They are really awesome because they create a "Wow-effect".I also checked the Peensy post and I have to say, it's becoming better and better.

Last weekend I was playing a bit with powershell as I was a little bit unhappy with the cmd.exe. (You can see what is entered on the screen). I found this very cool:Just try WINDOWS+R and then type the following:powershell.exe -WindowStyle Hidden powershell.exe

The opened powershell window is shown for about a second and then disapears. After that you can keep on typing (just try something like notepad.exe), because the window is still in the foreground, but invisible. It appears in the task manager but not in the task list (ALT+TAB).

The scriptfile itself should do the following things:- do some state handling (running 1 or 0)- act as Handler for different attack-scriptfiles (like download scriptfile posted on pastebin or others)- start different scriptfiles

In the end the teensy would just start a handler if it is not running. The handler itself would then start the attack scripts.This could reduce some side effects if the teensy is plugged in and tries to do some typings.

The powershell hidden window thing looks cool. I did a quick check and facing some issues with it.

For a "normal" powershell window this seems to work fine. But when I try to start an elevated powershell window, the hidden window is not focused anymore. Anything typed by Teensy is not being sent to the screen. Have you tried doing that?

Well I tested around a bit and didn't find a direct way to "re-focus".

But I found another way how to bypass that issue (from here: http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/09/23/a-self-elevating-powershell-script.aspx).

The powershell script below ist some kind of "sudo". You can run a unprivileged powershell (in background), then echo the lines of the script to a "elevate.ps1" script that starts the argumented script in elevated mode. That said it opens the UAC message, after clicking "OK" the script is executed with administrator privileges.

-------------- powershell sudo ----------------# Get the ID and security principal of the current user account $myWindowsID=[System.Security.Principal.WindowsIdentity]::GetCurrent() $myWindowsPrincipal=new-object System.Security.Principal.WindowsPrincipal($myWindowsID)

# Get the security principal for the Administrator role $adminRole=[System.Security.Principal.WindowsBuiltInRole]::Administrator

# Check to see if we are currently running "as Administrator" if ($myWindowsPrincipal.IsInRole($adminRole)) { # We are running "as Administrator" - so change the title and background color to indicate this $Host.UI.RawUI.WindowTitle = $myInvocation.MyCommand.Definition + "(Elevated)" $Host.UI.RawUI.BackgroundColor = "DarkBlue" clear-host } else { # We are not running "as Administrator" - so relaunch as administrator # Create a new process object that starts PowerShell $newProcess = new-object System.Diagnostics.ProcessStartInfo "PowerShell"; # Specify the current script path and name as a parameter $newProcess.Arguments = $myInvocation.MyCommand.Definition; # Indicate that the process should be elevated $newProcess.Verb = "runas"; # Start the new process [System.Diagnostics.Process]::Start($newProcess); # Exit from the current, unelevated, process exit } # Run your code that needs to be elevated here Write-Host -NoNewLine "Press any key to continue..." $null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")

some questions: what about an offline-version without going to the internet and downloading the script from pastebin or whatever?

and, 1+ for the Post from Andy: i would like to see a universal teensy which dumps every kind of passwords from the local machine and put them to a sd on the teensy or something. why? sometimes local clients are not allowed to use the internet.....

Thanks for your nice words. I need to do some teting for ascii support, hopefuly this would be addressed in next major release.

Most of the payloads are offline. Only those payloads download scripts from the internet which are big (like hashdump and sniffer) and take considerable time for typing. I will see if it would be feasible to type them locally.

Regarding the "universal teensy", I have not implemented any SD card method to keep the "learning curve" simple for new users. I want to support a Teensy (or other HID) out of the box, that is, without a need to attach a SD card etc.

Other than that, all the payloads of Kautilya are designed so that the device need not be connected to the target for more than 30-40 seconds. More functionality in a single payload means more time required for typing, thus more time on the target.

Although given there is a demand I will introduce an option or seperate payloads which make use of SD card in future.

One more thing, many environments block a storage device, even if the internal storage is used it may get blocked. Anyway, I will look to what extent storage could be supported while maintaing an ease of usage.

Awesome work man!! Just awesome. I want to work with you to build a new product, (really an improvement to an existing) a peensy. I want to add a Fram memory module to a Teensy 3.1 and create different versions for specific OS/Systems.